Chase Doesn't Encrypt Your Login Credentials?

By cwaltersJuly 2, 2008

We’re not IT experts or anything, but when Chase writes that “all your account information is protected by 128-bit encryption to maintain the privacy and confidentiality of your data,” shouldn’t that mean a little lock icon on the browser window, and an https address? Update: Not necessarily, according to our commenters, although the lack of an https login screen does pose other security risks.

A reader named Ben writes,

Chase.com doesn’t know how to protect their customers passwords. Their login page does not use a secure connection
(see attached). It uses http instead of https. That means that your password is not encrypted when submitted, which is pretty bad for a financial site. (However, they do care enough to include a meaningless, fake “secure” lock icon next to the login form.) I spoke with them a month ago, but they haven’t changed anything.

Once you’ve logged in, everything is encrypted, but that initial password transmission on the home page isn’t. Fortunately, if you’re a Chase customer you can change the address manually to https (just add an “s” to the end of the “http” and hit your enter key) to trigger the encryption.

Note: A couple of initial comments were lost from this post, but we thought this one from beavis88 was good to know:

As long as the target of the form is an https url (and it is), the data will be encrypted. This is bad form, no question, but they are not total and complete idiots at least.